IMPORTANT: changes to reCAPTCHA SSL API (api-secure.recaptcha.net) on April 11

6,743 views
Skip to first unread message

reCAPTCHA Support

unread,
Mar 8, 2011, 3:44:14 PM3/8/11
to reCAPTCHA Announcements
Hi reCAPTCHA users,

In April, we will begin to turn down the legacy URL for reCAPTCHA's
HTTPS API. If your site uses reCAPTCHA over SSL, you will need to
make a minor code change before April 11.

If your site does not load the reCAPTCHA challenge API over SSL, you
do not need to make any changes. You can tell if you’re using SSL by
looking at the source of your page(s) which contain reCAPTCHA and
seeing whether you use "https://api-secure.recaptcha.net" anywhere.

The transition involves a very simple change to your code. Any time
between now and April 11, you need to replace all instances of:
https://api-secure.recaptcha.net/XXX
with:
https://www.google.com/recaptcha/api/XXX

If you don’t make the change before April 11, your users might see SSL
certificate warnings when visiting your site. (However, the CAPTCHA
should still load normally, unless the user has restrictive security
settings.)

Most commonly, this shows up as a call to the reCAPTCHA challenge API
on the page that contains reCAPTCHA, such as:

<script src="https://api-secure.recaptcha.net/challenge?
k=XXXYYYZZZ"></
script>

This call needs to change to something like this:

<script src="https://www.google.com/recaptcha/api/challenge?
k=XXXYYYZZZ"></script>

... everything after the /challenge can remain exactly as it was.

Another thing to look for is if you're including the reCAPTCHA
JavaScript over HTTPS. Code that looks like:

<script src="https://api-secure.recaptcha.net/js/recaptcha.js"></
script>
or
<script src="https://api-secure.recaptcha.net/js/recaptcha_ajax.js"></
script>

Would need to change to:
<script src="https://www.google.com/recaptcha/api/js/recaptcha.js"></
script>
or
<script src="https://www.google.com/recaptcha/api/js/
recaptcha_ajax.js"></script>

We're sorry for the inconvenience; please let us know if you have any
questions or concerns about making this change. We will be contacting
SSL-using site owners individually to let them know about this change;
however we wanted to post in the public forum as well, since we may
not have up-to-date contact information for all sites.

Best,
Colin & the rest of the reCAPTCHA team

reCAPTCHA Support

unread,
Apr 11, 2011, 6:30:44 PM4/11/11
to reCAPTCHA Announcements
Reminder: we will be making this change later this week -- most likely
tomorrow. If your site still uses SSL over the legacy servers (api-
secure.recaptcha.net), your users will soon start to see SSL warnings
in their browsers.

Best,
Colin

reCAPTCHA Support

unread,
Apr 12, 2011, 9:11:33 AM4/12/11
to reCAPTCHA Announcements
This is starting now.

> --
> You received this message because you are subscribed to the Google Groups "reCAPTCHA Announcements" group.
> To post to this group, send email to recaptcha...@googlegroups.com.
> To unsubscribe from this group, send email to recaptcha-annou...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/recaptcha-announce?hl=en.
>
>

--
reCAPTCHA: stop spam, read books
http://www.google.com/recaptcha

reCAPTCHA Support

unread,
Apr 25, 2011, 11:11:21 AM4/25/11
to reCAPTCHA Announcements
Hi all,

We will be pushing this change live again on Wednesday morning (April
27). If you're using SSL and haven't updated your site to use the new
URLs yet, it will break again on Wednesday.

Colin

reCAPTCHA Support

unread,
Apr 27, 2011, 1:54:09 PM4/27/11
to reCAPTCHA Announcements
This is starting now.
Reply all
Reply to author
Forward
0 new messages